Privacy policy

Author: 24 May 2018/J. Toikander
Date: 7 December 2018/J. Toikander
Approved: 11 December 2018/P. Nykänen
The EU’s General Data Protection Regulation (679/2016)
Personal Data Act (523/1999)

1. Controller

Suomen Ihosairaala Oy, Business ID 2801520-4
Salomonkatu 1, 00100 Helsinki, tel. +358 (0)10 4192 000

2. Name of data file

The patient register of Suomen Ihosairaala Oy (The Ihosairaala).
A patient register centrally maintained by Suomen Ihosairaala Oy and independent medical practitioners (or companies for which such practitioners are working) on the company’s behalf.

3. Person in charge of register, and contact details

Suomen Ihosairaala Oy
Salomonkatu 1, 2. krs, 00100 Helsinki
+358 (0)10 4192 000
Carl Kyrklund, Medical Director
Contact person:
Sanna Liukkonen, Head Nurse
+358 (0)10 4192 000

4. Purpose of processing personal data on the patient register, and principles behind its use and maintenance

The patient relationship forms the basis of maintaining the centrally maintained patient register. The purpose of the patient register is the examination of customers’ state of health and/or illnesses, the planning, implementation and monitoring of treatment, and the processing of the resulting data.
Where necessary, register data is also used for the processing of feedback/claims (if the data subject has disclosed personal data when presenting a claim), for handling official requests for clarification, and for the processing of patient safety incidents (if the data subject has been identified).
The processing of personal data is based on the controller’s statutory obligation to process personal data, on the patient’s consent thereto, or other appropriate circumstances. In addition, the patient register is used to ensure the due supervision of medical practitioners, and compliance with legislation, rules and regulations concerning healthcare activities.
The register is also used for the management, maintenance, development and statistical analysis of the controller’s customer relationships. The controller may use the register to develop its own business and services, and for marketing analysis and/or the calculation of customer numbers.
Legislation on the maintenance of the patient register:
Ministry of Social Affairs and Health Decree on Patient Documents, (298/2009), Act on the Status and Rights of Patients (785/1992), The Private Health Care Act (152/1990), Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (159/2007), Act on Health Care Professionals (559/1994), and the EU’s General Data Protection Regulation (679/2016) and the Personal Data Act (523/1999).

5. Data content of the register

Basic data of data subject:
Personal ID
Contact information (e.g. address, telephone number and email address)
Guardian of minor or next-of-kin named by data subject (name and contact information)
Consent of data subject for the processing and disclosure of personal data.
Statutory patient documents with treatment and examination data:
Data resulting from examination of the patient’s state of health and/or illness, and the planning, provision and monitoring of treatment
Laboratory test and referral data, and test results from central laboratory
Data based on the diagnosis, prescription, referral and statement
Documents and other data provided by the data subject on the treatment (e.g. photographs and data are digitally recorded in the patient system)
Time of entries in patient documents, name and position of maker of entry, and purpose of patient documents

6. Regular sources of data

Data provided by the data subject, or disclosed by the guardian in the case of an under-age data subject. The accuracy of personal data is checked during the patient’s visit.
In addition, the patient register includes data, reports and statements related to examinations and treatment.
Data and/or documents acquired from the Kanta Archiving Service or other healthcare units with the consent of the data subject.

7. Regular disclosures of data

The Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (159/2007) obliges the controller to transfer patient document entries to the Kanta service for archival.
The data subject can use the My Kanta service to examine their data and to determine which parties can access their patient and prescription data via the Kanta service. (for further information, see
Patient data is confidential and persons involved in its processing are obliged to treat such data as confidential and secret.
In other circumstances, patient data is primarily disclosed with the written consent of the patient.
Patient data is directly disclosed to the person in question, unless this is forbidden by law. If the patient lacks the capacity to understand the implications of their consent to this, such data can be disclosed with the written consent of the patient’s legal representative.
On the basis of special legal requirements, patient data may be disclosed to public officials as follows: the Parliamentary Ombudsman, the National Supervisory Authority for Welfare and Health, Regional State Administrative Agencies and insurance institutions.
Notwithstanding the confidentiality obligations, the police have the right, on the basis of a justified request, to obtain data on the state of health of an individual when, for example, considering the validity of a driving licence or firearms permit, if there are grounds for suspecting that the holder no longer qualifies for such a permit.
In addition, notwithstanding the confidentiality obligations, patient data can be disclosed to public officials maintaining national registers, such as: cancer and infectious disease registers of the National Institute for Health and Welfare, and the register for adverse drug reactions of the Finnish Medicines Agency, Fimea.
Consent is not required for the disclosure of necessary data vital to the arrangement of treatment and examinations in another healthcare unit if, due to mental health issues, disability or other, similar reasons, the person in question lacks the capacity to consider giving their consent and has no legal representative. Or if the patient’s consent cannot be obtained due to their being in a state of unconsciousness or for a similar reason.
Register data is not disclosed to parties outside the European Union or European Economic Area.
In all cases, data is disclosed as paper printouts of digital patient documents during a personal visit, or on the basis of a patient document request form personally signed by the data subject. The identity of the data subject is always checked prior to the disclosure of data.

8. Rights of the data subject

Notwithstanding the confidentiality obligations, the patient/customer has the right to know what data concerning them has been recorded in the patient register (EU: General Data Protection Regulation, Personal Data Act §26–28).
My Kanta service
The data subject can view and inspect their data (patient document entries, test results and prescriptions) relatively easily and quickly using the My Kanta service. A data subject registered with the My Kanta service can define and restrict which parties are able to view patient and prescription data transferred to the service. (see for further details)
Right to inspect/obtain data
The patient has the right to see their patient data and to obtain it in written form.
Requests to inspect and obtain such data are made using a patient document request form. The form is submitted to the contact person mentioned in section 2 of the privacy policy. The identity of the person making the inspection request is verified before disclosing data. Data acquisition/inspection requests must be fulfilled without undue delay and the data must be disclosed in an understandable format. Where necessary, the data can be explained by a practitioner in the field. The patient document request form for data subjects can be printed out from the internet pages of the Ihosairaala, or obtained upon request from customer service at the Medical Centre during a personal visit there.
Right to rectification (correction)
Upon the request of the data subject, without undue delay the controller must rectify, correct, delete or supplement any data that is erroneous, unnecessary, incomplete or out of date Personal Data Act §29).
If a request for rectification has strong grounds, the patient is notified of the rectification of data recorded in the patient documents. Rectifications are made to the patient documents in compliance with the Ministry of Social Affairs and Health’s guidelines on the drawing up of patient documents (298/2009). If there are no grounds for the request for rectification, a certificate is issued giving grounds for refusing the request.
All requests for rectification must be presented in writing on a request for rectification form. The form is submitted to the contact person mentioned in section 2. The identity of the person submitting the request for rectification is verified prior to processing the issue. The data subject’s request for rectification must be printed out from the Ihosairaala‘s website, or obtained upon request from the medical centre.
Right to restrict the processing of patient data
The Act on the Electronic Processing of Client Data in Healthcare and Social Welfare obliges the controller to transfer patient document entries to the national Kanta service (159/2007) for archiving.
The data subject can use the My Kanta service to define and restrict the parties able to view patient and prescription data via the Kanta service. (for further information see
The data subject can impose restrictions on the Ihosairaala‘s centralised patient register by personally requesting that their visit be kept confidential, or refusing consent for the recording of their data on the general register. They can do so in situations such as one in which the patient is awaiting the controller’s reply to a request for rectification or correction. In every case, the identity of the data subject is verified prior to taking action.
Rights of minors
The rights of minors respecting their personal data are defined in accordance with legislation governing the general right to be heard. Minors under 15 years of age who, given their age and stage of development, are capable of deciding on their treatment may exercise their right of inspection independently. If a minor capable of deciding on their treatment forbids the disclosure of their data to their guardian, the guardian will have no right to access or inspect the data on the minor’s patient register.
Consent and refusal
All data recorded on the patient register of Suomen Ihosairaala Oy is confidential and data subjects have no need to present specific bans on disclosing such data.
The data subject has the right to forbid the controller from processing their personal data for direct advertising, remote sales, other direct marketing and opinion polling purposes, or for vital records and genealogy studies
The patient/customer can withdraw their consent at any time.
Right to lodge a complaint with the supervisory authorities
The data subject has the right to make a complaint/claim with the supervisory authorities if the data subject believes that the law has been broken when processing personal data related to them.

9. Storage, archival and deletion of personal data

All patient data is tagged and recorded in a centrally maintained digital patient system. In compliance with the law, patient data is transferred to the national Kanta archive (Act on the Electronic Processing of Client Data in Healthcare and Social Welfare, 159/2007).
Suomen Ihosairaala Oy has no paper patient data archives outside the patient system.
Basic data forms printed out from the patient system and signed by the data subjects are stored in locked archival cabinets, which are only accessible to designated staff. The basic data forms are destroyed after the statutory archival period, complying with legal provisions in such a manner that neither third parties nor bystanders can access them.
All storage, archival and deletion of patient register data is performed in compliance with the decrees and regulations in force (Ministry of Social Affairs and Health Decree on Patient Documents 298/2009, Act on the Status and Rights of Patients 785/1992, Act on the Electronic Processing of Client Data in Healthcare and Social Welfare, 159/2007, Archives Act 831/1994).

10. General description of protection of patient register, technical and organisational protection measures

Only healthcare professionals participating in the treatment of the patient in question may process patient data. Data is processed to the extent required by the task and treatment in question. All staff receive sufficient training and induction in using the system at the beginning of their employment relationship. Induction includes system training for new staff. We ensure that our healthcare professionals know how to use the system. The system administrator of the patient register system has received more detailed training/induction from the software supplier.
The controller has protected the data in the appropriate technical and organisational manner.
Data recorded in the digital patient register system is protected by the users’ personal credentials, which have been set in accordance with the scope of the tasks in question, accounting for the need to perform the statutory marking of patient documents. User rights are issued after the creation of an employment contract/contract with an independent medical practitioner. User rights are personal and the related passwords must be changed at regular intervals. User rights and the processing of data recorded in the patient system are monitored using a log.
All staff who process patient data are bound by an obligation to maintain confidentiality and secrecy, as well as the legislation and general data protection guidelines applicable to the sector, both during and after the employment relationship. All user rights are cancelled as soon as the employment relationship and/or independent medical practitioner contract ends.

11. Administration of the register

Suomen Ihosairaala Oy (Ihosairaala Finland Ltd) is responsible for the centralised administration of the register.
The controller monitors changes to data protection legislation and official guidelines, and reserves the right to update this privacy policy accordingly.
The person in charge of data protection issues at the Ihosairaala is Jenny Toikander,

12. Forms

‘Request-for-inspection’ and ‘Data rectification’ forms can be found on our Forms-page.
Please send signed forms to the address:
Suomen Ihosairaala Oy
Salomonkatu 1
00100 Helsinki